Skip to content

downloads anything via invalid versions #158

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ChALkeR opened this issue Apr 23, 2025 · 0 comments
Open

downloads anything via invalid versions #158

ChALkeR opened this issue Apr 23, 2025 · 0 comments

Comments

@ChALkeR
Copy link

ChALkeR commented Apr 23, 2025
edited
Loading

jsvu/README.md

Line 168 in 614a799

_jsvu_ downloads files over HTTPS, and only uses URLs that are controlled by the creators of the JavaScript engine or, in the case of JavaScriptCore on Linux, the port maintainers.

only uses URLs that are controlled by the creators of the JavaScript engine or, in the case of JavaScriptCore on Linux, the port maintainers.

This is not true

Image

And will attempt to create a /GoogleChromeLabs (controlled) dir in the fs

Please add both (1) input validation and (2) asserts before downloading / fs ops that we are operating in the correct allowed locations

Also see #159

Likely isn't worth a private security report. Those are not enabled in this repo settings anyway
@ChALkeR ChALkeR mentioned this issue Apr 23, 2025
Closed
@ChALkeR ChALkeR changed the title downloads anything via invalid urls downloads anything via invalid versions Apr 23, 2025
@ChALkeR ChALkeR mentioned this issue Apr 23, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ChALkeR